More recently it has been linked with multi-platform malware frameworks and fileless malware campaigns.
LAZARUS GROUP APT WINDOWS
Lazarus has strong associations with the Fallchill remote access tool for Windows and similar capabilities that target MacOS, Android, and Linux.
What historically made Lazarus distinct – less so as time passes, were techniques (such as protocol impersonation) used in its malware. For example, some researchers group all activity directed at banks under BlueNoroff (see below), others fold it under Lazarus. And according to the DoJ’s Park indictment, the group responsible (if only in part) for WannaCry 2.0.īecause of the clustering problems described earlier, it’s difficult – based on what’s published – to know where this crew stops and all the others begin. Let’s start with the group that always gets the headlines. “The Lazarus Group”Īka Temp.Hermit, Labyrinth Chollima, RGB-D3, ZINC, Covellite, NICKEL ACADEMY And our attempts to assign these groups some personality, well, that just makes our lives more bearable. Bucketing the activity provides a clearer picture of North Korea’s targeting habits and the risks that they pose so we can better predict and defend against them.īut first, a few caveats: linking the names different analysts give to each cluster of activity doesn’t make those groups synonymous.
LAZARUS GROUP APT CRACK
Now, we could sit back and go all angry panda whenever we see an analyst get it wrong, or we could have our own crack at defining who’s who in the zoo. The overlaps are better explained by several operators sharing malware developed by a single team. But overlapping geography and TTPs doesn’t mean a single “Lazarus Group” is orchestrating all these attacks. We know the North Korean crews target cryptocurrency wallets and exchanges, but the split of the bounty/booty between the operators’ personal crypto-stashes and government coffers is a bit of a mystery.įurther, all the North Korean groups we list in this article use wipers or ransomware, and all use similar packers to mask malicious files. It’s often hard to know where the state-directed activity stops and the operator side-hustles start. The DPRK doesn’t make this clustering easy. We’re in the second camp: DPRK activity should be clustered among a few related groups.
When it comes to North Korean cyber activity, analysts fall into one of two camps: The “it’s all Lazarus” camp or the “it’s complicated camp”.
0 kommentar(er)
